E-discovery: Preserving, collecting and using Internet histories

We’re not quite The Jetsons yet, and robots don’t seem to be making good on their plans for world domination. But computers and the Internet are playing a growing role in our lives. Activities and interactions that once took place offline, leaving little to no tangible trace, are being shifted online through a proliferation of websites, secured servers and mobile device applications.

Our employees’ computers keep a record of their web browsing and the programs they use, which can all be recovered and recreated in the right hands. Privacy concerns have garnered much more attention than the vital application of this data on fact investigation and litigation. Internet histories, browser caches, lists of recent files and programs and deleted data fragments can all provide critical evidence that is essential to winning a case. Yet, this data is as fragile as it is crucial,and care and experience must be brought to ensuring its preservation and production.

Uses of ephemeral data

One of the clearest cases for the need to obtain Internet browser histories appears in Nacco Materials Handling Group, Inc. v. Lilly Co., 278 F.R.D. 395 (W.D. Tenn. 2011). The plaintiff, a manufacturer of lift trucks, maintained a secured server to permit its service providers access to information about parts and repairs, pricing and strategy. The defendant had been an authorized service provider of the plaintiff’s vehicles, but subsequently lost that status; however, the defendant’s employees continued to access the server. The number of times the server was accessed, by whom, when and for what purpose presumably all are issues that will arise during the case.

A case from the New York state courts, Tener v. Cramer, 931 N.Y.S.2d 552 (N.Y. App. Div. 1stDep. 2011), provides a starker example of the need for discovery ofephemeral Internet data. The defendant allegedly posted defamatory statements about the plaintiff on a website from a shared computer at a New York University hospital. The shared computer required a username and password, and the plaintiff sought that log from the university (which was not a party to the case) in order to definitively connect the allegedly defamatory statement to the defendant.

In both instances, the plaintiffs would have had gaping holes in their proof without access to the data stored on the defendant’s or third party’s computers.

Documents, metadata and more

Browser histories differ from word processing documents or their metadata in important ways. A Word document is intentionally created by a user to record or present information of some kind. Metadata is created along the way by the computer to record information about the document, such as who created it, when or when it was last edited. Metadata is created as the file is used in the ordinary course of its lifecycle. The file retains the metadata as part of the file itself.

In contrast, these other types of fleeting data record how a computer was used. For instance, an Internet browser history consists of the collective list of all of the websites the user has accessed and copies of those websites that are stored in the browser’s cache. The computer stores all of this information to improve the user’s experience. A record of websites you visit frequently helps you get back to the New York Times quickly, without having to retype the web address or use a search engine. The copy of the site kept in the cache speeds up the routine of opening Facebook each morning.

These files cannot easily be collected and produced. In fact, they are typically excluded during the processing of a traditional collection—if they are captured at all. In order to capture the Internet history, you need to collect and analyze the entire computer.

Forensic technology specialists make bit-by-bit copies, called forensic images or mirror images, to gather all of this data, review it and analyze it. Back in their labs, they can piece together the last time a computer was turned on; who logged on to the computer; whether any CDs, thumb drives or external hard drives had been plugged in to the computer; and what programs and files were recently opened. They can also tell what websites you visited and recover copies of the sites as they appeared when you viewed them. This data is not necessary to every case, but, as we have seen, some cases are won solely because of the collection of this evidence.

Costs, burdens and obligations

When ephemeral data such as a browser history is relevant to litigation, it is not sufficient to argue that the data is “inaccessible” as that term is used in the Federal Rules of Civil Procedure and cases such as Zubulake. You will need to identify, preserve, collect and produce this data—or be prepared to justify in detail why it is too expensive for you to do so.

The Federal Rules take undue cost and burden on the producing party into account when making determinations about whether data should be produced, but the importance of the evidence is also a factor. If your data is the only source of documentation for a certain fact, you may be ordered to produce it.

So, what do you do? The first step is to hire a forensic technologyconsultant who can act as a trusted adviser. Then, deal with your obligations as soon as possible. If you are seeking production of evidence that can be destroyed just by ongoing use of a computer, send a preservation notice early and consider moving for expedited discovery. If your evidence will be requested, issue litigation holds, make forensic images and have conversations with the other side about the scope and costs of preservation and collection. Finally, if you seek to avoid production of this type of data, be prepared to provide detailed explanations to the court about the burden, including price estimates.